General

  • Target

    5423e534bc4687b2018b38f1894eaeee35eb892a20fd64d66eceebf0cf64d96a

  • Size

    215KB

  • Sample

    221218-a5r4ksdb4w

  • MD5

    0c12af9b2c0b3ab5bcb398e219995b17

  • SHA1

    c104074a5ef217e88a92899e9b5caf4f3b729da0

  • SHA256

    5423e534bc4687b2018b38f1894eaeee35eb892a20fd64d66eceebf0cf64d96a

  • SHA512

    8f301ec3486ceb2b341b51782af2b254caba574796864ee2d8091824309b6bf66d924791c8f74b7355199a259fb428669681b7d7259146d563177eb3a5ac0ae3

  • SSDEEP

    3072:IWmmqgUCLL5rZwRY+9zksC7fkJR/hUr2Bw9N8/g3xoCWfX1G3ERWR3Le:xmmqdCLLBXEz2wHhUBcg3CHEU0V6

Malware Config

Extracted

Family

danabot

C2

23.236.181.126:443

123.253.35.251:443

66.85.173.3:443

Attributes
  • embedded_hash

    8F56CD73F6B5CD5D7B17B0BA61E70A82

  • type

    loader

Targets

    • Target

      5423e534bc4687b2018b38f1894eaeee35eb892a20fd64d66eceebf0cf64d96a

    • Size

      215KB

    • MD5

      0c12af9b2c0b3ab5bcb398e219995b17

    • SHA1

      c104074a5ef217e88a92899e9b5caf4f3b729da0

    • SHA256

      5423e534bc4687b2018b38f1894eaeee35eb892a20fd64d66eceebf0cf64d96a

    • SHA512

      8f301ec3486ceb2b341b51782af2b254caba574796864ee2d8091824309b6bf66d924791c8f74b7355199a259fb428669681b7d7259146d563177eb3a5ac0ae3

    • SSDEEP

      3072:IWmmqgUCLL5rZwRY+9zksC7fkJR/hUr2Bw9N8/g3xoCWfX1G3ERWR3Le:xmmqdCLLBXEz2wHhUBcg3CHEU0V6

    • Danabot

      Danabot is a modular banking Trojan that has been linked with other malware.

    • Detects Smokeloader packer

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks